
First, I'm very new to Stack Overflow (first question posted) and forums in general. In addition to this downfall, I'm also new to development and databases other than at a Systems Administration type level.

I see several questions about using variables in Python with the MySQLdb module on Stack Overflow. Many of them mention SQL injection code like this. The answer with 70+ upvotes gives you an example where % appears to be the deciding character in whether or not your code is susceptible to SQL injection. My questions are:

  1. Do I understand correctly that the "" % (VAR) instead of "", (VAR) is what makes the difference?

  2. If that is the case, then is this post also an example, or is there something different about using the % to designate a table vs. a clause?

It is noteworthy to mention I've tried learning more about SQL injection. Not sure if I'm too dense or the material is, but I'm just not following. In this article by Cisco I tried to follow, I find that there is no mention of a percent but instead they appear to be using ?. So if someone can point me to some "layman's" documentation I would appreciate that!
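The difference the question asks about, shown as an added example that is not part of the original post. It uses the standard-library sqlite3 driver instead of MySQLdb so it runs offline; sqlite3's placeholder is `?` (as in the Cisco article) while MySQLdb's is `%s`, but the `%`-operator-vs-comma distinction is the same in both. The table/column names and the crafted input are constructed for the demo.

```python
import sqlite3

# MySQLdb uses "%s" as its parameter placeholder; sqlite3 (used here so the
# example runs offline) uses "?". With either driver the safe pattern is the
# same: the SQL text and the values reach execute() separately, so a value
# is never parsed as SQL.


def make_db():
    # Constructed in-memory table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # Python's % operator builds the SQL string BEFORE the driver sees it,
    # so any quote characters inside `name` become part of the query.
    sql = "SELECT name FROM users WHERE name = '%s'" % (name,)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # The comma passes `name` to execute() as a parameter; the driver
    # binds it as a literal value, quotes and all.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


ALLOWED_TABLES = {"users"}  # constructed allowlist of table names


def count_rows(conn, table):
    # Placeholders bind values, not identifiers, so a table name cannot be
    # parameterised. If it comes from the caller, check it against a fixed
    # allowlist before formatting it into the query (this answers question 2).
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (table,))
    return conn.execute("SELECT COUNT(*) FROM %s" % table).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print(lookup_vulnerable(db, crafted))  # ['alice', 'bob']: the quote changes the WHERE clause
    print(lookup_safe(db, crafted))        # []: the whole string is compared as a name
    print(count_rows(db, "users"))         # 2
```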
